Azure Active Directory B2B: How it works

B2B is based on an invitation model that lets you enable access to your corporate applications from partner-managed identities. You provide an email address along with the applications you want to share, and an invitation is sent to your partners, customers or anyone else who has an account in Azure Active Directory. Azure AD sends them an email invite with a link. The partner user follows the link and is prompted to sign in using their Azure AD account or sign up for a new Azure AD account.

How it works

Your Azure AD admin can invite other users using a structured CSV file, which they upload through the Azure portal.

The portal sends an invitation to each of the users specified in the uploaded file.

Each user who receives such an email can click the generated link and will be prompted to sign in using their work credentials if they are already in Azure AD. If they don't have an account, B2B collaboration has a streamlined sign-up experience to provide Azure AD accounts to your business partners.

The user is then redirected to the application to which they were invited.

Partner users exist in your Azure AD as external users. This means your admin can assign them to groups or roles and manage access to your apps independently of your business partner's account lifecycle.

CSV file format

The current version of B2B collaboration requires a CSV file that specifies the users to be invited. There are two groups of fields.

Required:

Email – email address of user to invite

DisplayName – display name of user to invite

InviteContactUsUrl – URL to include in email invitations in case the invited user wants to contact your organization

Optional:

InviteAppID - The ID for the application to use for branding the email invite and acceptance pages

InviteAppResources – AppIDs of applications to assign users to.

InviteGroupResources – ObjectIDs of groups to add the user to.

InviteReplyURL – URL to which to direct an invited user after invite acceptance. This should be a company-specific URL.

Application IDs that can be specified in InviteAppResources can be easily retrieved using PowerShell by calling:

Please remember that the first row of labels is required and the spelling must match the fields specified above. This is necessary for the CSV file to be parsed successfully. For optional fields that aren't needed, their labels can be removed from the CSV file and the entire column can be left empty.

Current preview limitations

Invites are possible only via CSV; individual invites and API access are not supported.

Only Azure AD Global Administrators can upload *.csv files.

There are limitations on consumer email addresses – addresses at domains such as gmail.com and hotmail.com are not currently supported.
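
A pre-upload check for the invitation file, given here as an added example (it is not part of the original article or of any Microsoft tooling): it enforces the header labels from the CSV file format section and the consumer-address limitation listed above, so a Global Administrator can review what a file will grant before uploading it. The https-only, company-domain rule for URLs, the space-separated ID lists, the function names and the `contoso.example` sample data are assumptions.

```python
import csv
import io
import re

REQUIRED = ("Email", "DisplayName", "InviteContactUsUrl")
OPTIONAL = ("InviteAppID", "InviteAppResources", "InviteGroupResources", "InviteReplyURL")
ID_FIELDS = OPTIONAL[:3]
URL_FIELDS = ("InviteContactUsUrl", "InviteReplyURL")
CONSUMER_DOMAINS = {"gmail.com", "hotmail.com"}  # the two the page names as unsupported
GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
EMAIL = re.compile(r"[^@\s]+@([^@\s]+\.[^@\s]+)")

def on_company_domain(value, domain):
    """Assumed policy: https only, host equal to or under the company's domain."""
    match = re.fullmatch(r"https://([A-Za-z0-9.-]+)(?::\d+)?(?:[/?#]\S*)?", value)
    host = match.group(1).lower() if match else ""
    return host == domain or host.endswith("." + domain)

def validate_invites(text, company_domain):
    """Return (line, message) findings for an invite CSV; an empty list means it passed."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    findings = [(1, f"missing required column {c}") for c in REQUIRED if c not in header]
    findings += [(1, f"unknown column {c}") for c in header if c not in REQUIRED + OPTIONAL]
    if findings:
        return findings  # labels must match exactly, so row checks would be meaningless
    for row in reader:
        line = reader.line_num
        cells = {k: (v or "").strip() for k, v in row.items() if k}
        match = EMAIL.fullmatch(cells["Email"].lower())
        if not match:
            findings.append((line, "malformed Email"))
        elif match.group(1) in CONSUMER_DOMAINS:
            findings.append((line, f"consumer domain {match.group(1)} is not supported"))
        findings += [(line, f"empty {c}") for c in REQUIRED[1:] if not cells[c]]
        for name in URL_FIELDS:
            value = cells.get(name, "")
            if value and not on_company_domain(value, company_domain):
                findings.append((line, f"{name} is not an https URL on {company_domain}"))
        for name in ID_FIELDS:  # assumption: several IDs in one cell are space-separated
            findings += [(line, f"{name} has a non-GUID value")
                         for item in cells.get(name, "").split() if not GUID.fullmatch(item)]
    return findings

# Constructed sample: one clean row, one row that trips three checks.
SAMPLE = """Email,DisplayName,InviteContactUsUrl,InviteGroupResources
pat@partner.example,Pat Lee,https://www.contoso.example/contact,11111111-2222-3333-4444-555555555555
bob@gmail.com,Bob,http://contoso.example/contact,sales-team
"""
```

Calling `validate_invites(SAMPLE, "contoso.example")` returns three findings, all on line 3; a file whose header is misspelled is rejected at line 1 before any row is examined.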